Intellectual Property and IT Insights

14 September 2004

APRA's draft Prudential Standard on business continuity management for ADIs and insurers

By Julian Gyngell and Jacqueline McStay.

Key Points:
The final Standard issued by APRA will contain the high-level principles governing Business Continuity Management; however, it will be up to the individual companies to create detailed BCP-compliant contracts with their IT service providers.

In the wake of an international movement towards tougher business recovery procedures, the Australian Prudential Regulation Authority ("APRA") has released a draft Prudential Standard on Business Continuity Management ("BCM"). The draft Standard applies to authorised deposit-taking institutions (ADIs - banks, building societies and credit unions), general insurers and life insurance companies and raises significant issues for those companies contracting with IT service providers. The draft was released for public consultation on 12 July 2004 with a view to the issue of a final Standard by late November 2004.

What does the draft Standard propose?

Under the proposed Standard, regulated institutions will be required to:

  • identify, assess and manage potential business continuity risks as part of their risk management framework to ensure they continue to meet their financial and service obligations to depositors and policyholders in the event of external or internal disruption to business operations;
  • develop, implement and maintain a Business Continuity Plan ("BCP") that outlines procedures that will be followed in the event of disruption, including a communication plan for notifying relevant stakeholders and alternative operation sites;
  • consider outsourcing arrangements by insisting that third party service providers also have a BCP and that those providers have alternative operation solutions in the event that those already in place are adversely affected; and
  • undertake regular reviews of their BCM framework, including periodic testing and maintenance of their BCP.

These requirements are intended to help businesses continue operating not only in the event of emergencies such as terrorist threats and natural disasters, but also in the event of loss of key staff and computer system failures. The procedures must be proved on an annual basis, and will be enforced by APRA.

IT under the draft Standard

Many businesses that rely heavily on IT will already have certain recovery measures in place, such as systematic data backup, and these will be fine-tuned under the requirements of the proposed Standard. However, companies will also be encouraged to look beyond data recovery and plan for parallel, remote systems that can be accessed in the event of an emergency.

There are a number of IT service providers that already make available several off-site recovery buildings for immediate client use in the event of an emergency. Best practice disaster recovery procedures will include access to these recovery buildings that typically are able to withstand prolonged periods without power and offer a private network connecting key staff in the event of a major disruption to business operations.

Issues to consider

The final Standard issued by APRA will contain the high-level principles governing BCM; however, it will be up to the individual companies to create detailed BCP-compliant contracts with their IT service providers. In view of this, regulated companies may need to take into account the following issues in order to meet the requirements of APRA's final Standard:

Overcrowding

It may be necessary for the contract to provide that the external recovery site can only be made available (i.e. "on call") to a maximum of, say, two companies that are located in the same building. This will prevent problems arising in the event that an entire building, housing numerous companies, is affected by the emergency. Depending on the size of the recovery site, the potential problem is one of overcrowding - that is, most recovery sites will have been designed to meet the demands of ad hoc system crashes that affect individual companies, not all the companies in one building.

Access levels

Different situations may require different levels of access to the recovery site. Problems that cause the crash of an entire computer system (or, at least, business critical applications) may warrant immediate access, whereas a mere computer glitch may require the BCP to be activated only after a longer nominated notice period. The categorisation of such levels of access should also make the contract more affordable as the service charges will be reduced if access levels are appropriate to the application, and the emergency, in question.

Duration of access

Similarly, in determining the length of time the company may have access to the recovery site, it may also be useful to provide different options to suit the nature of the emergency. Where the company is suddenly left without its offices, many months of access may be appropriate. On the other hand, it may only be a matter of days before a minor computer system failure can be rectified.

Software licences

Some software licences specify a particular site at which the software may be used. The contract must, therefore, provide that in the event of an emergency, the software is able to be used in the nominated recovery location.

Force majeure clauses

Standard contracts often allow parties to escape their contractual obligations when unforeseen circumstances, such as a natural disaster or terrorist activity (also known as "force majeure events"), occur. These clauses would defeat the purpose of the BCP and will therefore be inappropriate in a business continuity contract.

Conclusion

The draft Standard by APRA reflects a world in which business operations have become increasingly complex and more vulnerable to unplanned events, and nowhere is this more evident than in the area of IT. The importance for regulated institutions of creating and maintaining a comprehensive BCP for IT systems is reinforced by APRA's proposed Standard. There are certainly many new contractual issues to consider, most of which are expected to be clarified in the coming months by submissions to APRA commenting on the draft Standard.

For further information, please contact Jacqueline McStay.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.